Comment # 18 on bug 1202821 from
(In reply to Michal Koutný from comment #13)
> me (systemd, +cc systemd-maintainers) may want to check why device rules are
> not properly applied.

From the dump:
> -> Unit libpod-955b615b984df586c92fdc7177ab4a8338bdbad109c3b9fc151ec90e7f420812.scope:
> ...
> CGroup realized: yes
> CGroup realized mask: cpu cpuset io memory pids bpf-firewall bpf-devices bpf-foreign
> ...
> DeviceAllow: /dev/char/10:200 rwm
> DeviceAllow: /dev/char/5:2 rwm
> DeviceAllow: /dev/char/5:0 rwm
> DeviceAllow: /dev/char/1:9 rwm
> DeviceAllow: /dev/char/1:8 rwm
> DeviceAllow: /dev/char/1:7 rwm
> DeviceAllow: /dev/char/1:5 rwm
> DeviceAllow: /dev/char/1:3 rwm

This shows that systemd realized bpf-devices (i.e. BPF programs attached) and
the DeviceAllow: list does not list the pts wildcard.

/dev/pts devices should not be accessible at this moment. They are allowed
though because runc modifies BPF predicates (thanks Fabian for checking with
bpftool) but doesn't tell systemd about that. After `systemctl daemon-reload`
PID just applies what it was told about, that's correct behavior.
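The comment's reasoning can be turned into a small check: parse the unit dump, confirm that `bpf-devices` is in the realized mask, and ask whether a given device node is covered by any `DeviceAllow=` entry. The script below is an added example, not code from the bug report or from systemd/runc. The dump text is constructed from the lines quoted above (the unit name is a placeholder), the `/proc/devices` mapping is a constructed excerpt, and the `/dev/char/M:*` and `char-<group>` spellings are assumed forms of `DeviceAllow=` specs. It only answers "does systemd's stated policy permit this device"; whether the BPF program attached to the cgroup actually still matches that policy is the separate comparison the comment describes doing with bpftool.

```python
"""Audit a systemd unit dump: is a device permitted by the DeviceAllow= policy?"""
import re

# Constructed /proc/devices excerpt; the major numbers are the standard Linux assignments.
PROC_DEVICES = {"mem": 1, "tty": 5, "misc": 10, "pts": 136}

# Constructed sample dump modelled on the lines quoted in the comment (placeholder unit name).
SAMPLE_DUMP = """\
-> Unit libpod-PLACEHOLDER.scope:
        CGroup realized: yes
        CGroup realized mask: cpu cpuset io memory pids bpf-firewall bpf-devices bpf-foreign
        DevicePolicy: closed
        DeviceAllow: /dev/char/10:200 rwm
        DeviceAllow: /dev/char/5:2 rwm
        DeviceAllow: /dev/char/5:0 rwm
        DeviceAllow: /dev/char/1:9 rwm
        DeviceAllow: /dev/char/1:8 rwm
        DeviceAllow: /dev/char/1:7 rwm
        DeviceAllow: /dev/char/1:5 rwm
        DeviceAllow: /dev/char/1:3 rwm
"""

# Assumed spec forms: /dev/char/<major>:<minor> (either part may be '*') and char-<group>/block-<group>.
DEV_NODE = re.compile(r"^/dev/(char|block)/(\d+|\*):(\d+|\*)$")
GROUP = re.compile(r"^(char|block)-(.+)$")


def parse_rule(spec, perms="rwm", devices=PROC_DEVICES):
    """Turn one DeviceAllow= spec into (kind, major, minor, perms); None means wildcard.
    Returns None for spec forms this example does not model (e.g. a plain /dev/null path)."""
    m = DEV_NODE.match(spec)
    if m:
        kind, major, minor = m.groups()
        return (kind[0], None if major == "*" else int(major),
                None if minor == "*" else int(minor), set(perms))
    m = GROUP.match(spec)
    if m:
        kind, name = m.groups()
        if name == "*":
            return (kind[0], None, None, set(perms))
        if name in devices:
            return (kind[0], devices[name], None, set(perms))
    return None


def parse_dump(text):
    """Extract the realized controller mask and the DeviceAllow rules from dump output.
    Leading '> ' quote markers, as in a mailed bug comment, are tolerated."""
    realized, rules, unresolved = set(), [], []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if line.startswith("CGroup realized mask:"):
            realized = set(line.split(":", 1)[1].split())
        elif line.startswith("DeviceAllow:"):
            spec, _, perms = line.split(":", 1)[1].strip().partition(" ")
            rule = parse_rule(spec, perms or "rwm")
            (rules if rule else unresolved).append(rule or spec)
    return realized, rules, unresolved


def allows(rules, kind, major, minor, want="rwm"):
    """Return the first rule granting every permission in `want` for the device, else None."""
    for rule in rules:
        rkind, rmajor, rminor, rperms = rule
        if (rkind == kind and rmajor in (None, major)
                and rminor in (None, minor) and set(want) <= rperms):
            return rule
    return None


def audit(dump_text, kind, major, minor, want="rwm"):
    """Report whether bpf-devices is realized and whether the stated policy allows the device."""
    realized, rules, unresolved = parse_dump(dump_text)
    rule = allows(rules, kind, major, minor, want)
    return {
        "bpf_devices_realized": "bpf-devices" in realized,
        "allowed_by_policy": rule is not None,
        "matching_rule": rule,
        "unresolved_specs": unresolved,
    }


if __name__ == "__main__":
    # A pts slave is char 136:N; the sample policy lists no pts entry at all.
    result = audit(SAMPLE_DUMP, "c", 136, 0)
    print(result)
    if result["bpf_devices_realized"] and not result["allowed_by_policy"]:
        print("policy as told to systemd denies this device; if it is reachable inside the "
              "container, the attached BPF program no longer matches systemd's view")
```

Run it against real output from `systemd-analyze dump` (or the unit section of it) to get the same answer for a live unit; a "denied by policy but reachable in the container" result is the symptom described above, and `systemctl daemon-reload` re-applying the stated policy is then the expected behaviour rather than a regression.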

